The lax computer security of British MPs - as detailed in their own tweets

Kudos to Nadine Dorries, the British MP for Mid-Bedfordshire, who has bravely exposed the appalling computer security practices that she and her fellow politicians have in place.

My staff log onto my computer on my desk with my login everyday. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green's desk was accessed and therefore it was Green is utterly preposterous!!

Now, to be fair, Nadine probably thought she was simply supporting First Secretary of State Damian Green after revelations by a retired detective that thousands of legal pornographic images were found on his Dell PC at Portcullis House in 2008.

Damian Green, who is deputy to British Prime Minister Theresa May (not to be confused with British glamour model Teresa May), says he has never watched or downloaded porn on the computer.

And Nadine Dorries attempted to support her colleague by explaining that she allowed her staff and interns to log into her computer with her password “everyday”.

When security-minded folks on Twitter began to criticise Nadine's cavalier attitude to security (particularly pertinent in light of recent targeted computer attacks on Westminster), some of her colleagues jumped to *her* defence.

I certainly do. In fact I often forget my password and have to ask my staff what it is.

It would perhaps be churlish to suggest that Will Quince is preparing his alibi should porn ever be found on his PC.

And, if Nadine Dorries is to be believed, Damian Green is not the only MP who may have to face awkward questions about porn being found on their PC. No, because over the weekend Nadine claimed that *every* single MP’s PC (including hers, presumably) has been used to access porn.

I’m sure if the computers of all MPs - including Labour ones, were investigated there would be a record of porn being accessed. There would, in all cases, be zero proof of who it was who accessed it.

Oh dear… She’s wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they’d probably ignore the porn). It’s not just the personal information of the people she corresponds with, but also the fact that her PC, email and social media accounts could be used as a launchpad for attacks against others.

And what worries me from the above tweets is that Nadine Dorries doesn’t seem to be an isolated case. And it should worry you too if you’re a constituent of an MP who has adopted similarly lax IT security measures.

And it should worry us all if the very people who are tasked with legislating on internet privacy and security issues are proving to be so utterly clueless.

For more discussion on this topic, be sure to listen to this episode of the Smashing Security podcast:

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

Am I being cynical here - but a stream of MPs lining up to say, in public, that other people have access to their computers, sounds like they are preparing a line of defence for when someone leaks information on what is on their computer (and shouldn’t be).

No sane person would admit to being that stupid, unless they were trying to hide a bigger problem…

Wow! And these are the ones who say that the likes of the public shouldn’t be allowed to use strong encryption.

Good to see that the Cabinet Office and Home Office spending on Cyber Streetwise has been such a resounding success in Westminster.

So far as many employers are concerned, possession of pornography on a work-provided computer is cause for disciplinary action up to and including dismissal. Or don't these sorts of rules apply to MPs and their staff?

Graham Cluley said:
"Oh dear… She's wrong, of course. I would bet my bottom dollar that there is plenty of information on her PC that would be of value to criminals (they'd probably ignore the pawn)."

pawn
noun
a chess piece of the smallest size and value, that moves one square forwards along its file if unobstructed (or two on the first move), or one square diagonally forwards when making a capture. Each player begins with eight pawns on the second rank, and can promote a pawn to become any other piece (typically a queen) if it reaches the opponent’s end of the board.

a person used by others for their own purposes.

Or did you really mean that, Graham? In which case I'm laughing out loud :)

As anyone who listens to the podcast will know, I'm rather obsessed with chess. In fact, Mrs Cluley has said that she doesn't have to worry about me doing naughty things on the internet, as whenever she catches me watching videos in the dead of the night it's almost always one of the chess tournaments on YouTube…

What’s scarier is that she’s actually registered with the ICO as a Data Controller https://ico.org.uk/ESDWebPages/Entry/Z1716668 yet she then admits to using bad infosec security practices. Worse still, she considers that the information she processes has little value as she is not in government. Given the types of data mentioned in the Data Controller registration, I would certainly beg to differ.

Here in Denmark we had a case where sensitive information from a police database was leaked to the press. An investigation revealed that too much security was to blame… read on for an explanation.

The security was high. Only one or maybe two senior people had access to any kind of sensitive information, but in the course of the daily work other aspects of this information were needed by other officers. As the senior people were often away at meetings or tasks, and their access to information was needed on a daily basis, a culture of logging in early and staying logged in all day developed. The terminal was located near the service counter at most police stations and thus not only everybody working there (officers, office staff etc.) but also visitors coming in from the street had access. It was left completely unlocked all day and had full access. The blame for the leak was never placed (it could have been anybody), but security procedures were updated and now everybody with terminal access has access to the sensitive information, but it is logged exactly who searches for what and when, and idle users are logged out quickly.
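The Danish fix described above (individual logins, a record of who searched for what and when, and quick logout of idle sessions) is also the answer to the "zero proof of who accessed it" problem in the tweets. The following is an added illustration, not code from the article or from any real police or parliamentary system: a toy audit trail for a shared terminal, with a constructed shared-login scenario beside a per-user one, and an assumed five-minute idle timeout. Record ids, account names and timestamps are all made up.

```python
"""Per-user audit trail for a shared sensitive-records terminal (constructed example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)  # assumption: idle sessions are closed after 5 minutes


@dataclass
class AuditEntry:
    when: datetime
    user: str        # the identity the session was opened with
    action: str      # "login", "lookup", "idle_logout" or "denied"
    target: str = ""


@dataclass
class Terminal:
    """Shared workstation: every action is appended to an audit list."""
    entries: list = field(default_factory=list)
    last_seen: dict = field(default_factory=dict)  # user -> time of last activity

    def _expire_idle(self, now):
        """Log out every session that has been idle longer than IDLE_TIMEOUT."""
        for user, seen in list(self.last_seen.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.last_seen[user]
                self.entries.append(AuditEntry(now, user, "idle_logout"))

    def login(self, user, now):
        self._expire_idle(now)
        self.last_seen[user] = now
        self.entries.append(AuditEntry(now, user, "login"))

    def lookup(self, user, record_id, now):
        """Return True if the lookup was allowed; allowed or not, it is recorded."""
        self._expire_idle(now)
        if user not in self.last_seen:
            self.entries.append(AuditEntry(now, user, "denied", record_id))
            return False
        self.last_seen[user] = now
        self.entries.append(AuditEntry(now, user, "lookup", record_id))
        return True

    def who_looked_up(self, record_id):
        """Distinct identities the audit trail can attribute a lookup to."""
        return sorted({e.user for e in self.entries
                       if e.action == "lookup" and e.target == record_id})


T0 = datetime(2017, 12, 4, 9, 0)  # constructed timestamp


def shared_login_scenario():
    """Three people type the same credentials: the log cannot say which one searched."""
    t = Terminal()
    t.login("office_account", T0)
    # The real person is known only to us here; the terminal never sees it.
    for minute, _real_person in enumerate(["mp", "caseworker", "intern"]):
        t.lookup("office_account", "record-42", T0 + timedelta(minutes=minute))
    return t.who_looked_up("record-42")   # ['office_account']


def per_user_scenario():
    """Each person has their own login: the trail names the actual searcher."""
    t = Terminal()
    t.login("mp", T0)
    t.login("caseworker", T0)
    t.lookup("caseworker", "record-42", T0 + timedelta(minutes=1))
    return t.who_looked_up("record-42")   # ['caseworker']


def idle_logout_scenario():
    """A session left open does not survive a long gap; the next lookup is denied."""
    t = Terminal()
    t.login("mp", T0)
    allowed = t.lookup("mp", "record-7", T0 + timedelta(minutes=30))
    return allowed, [e.action for e in t.entries]   # (False, ['login', 'idle_logout', 'denied'])


if __name__ == "__main__":
    print("shared login attributes record-42 to:", shared_login_scenario())
    print("per-user login attributes record-42 to:", per_user_scenario())
    print("stale session after 30 minutes:", idle_logout_scenario())
```

The point of the two scenarios is that the audit log is only as good as the identity behind the session: with a shared password the trail is perfectly accurate and still proves nothing about the person at the keyboard, which is exactly the defence the MPs are relying on. The idle logout closes the second gap from the Danish case, a session opened in the morning and left available to anyone who walks up to the desk.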

None of this is a surprise for anyone who has worked in IT support at local government or in a private business with regulatory obligations and responsibilities. I've seen horrendous practices not just instigated but encouraged with the sole purpose of covering up the fact that staff are clueless (including manager level and beyond). Rather than acknowledge that training or hiring of competent people is required, it seems preferable to cover that fact up with crazy breaches of common sense like this. I have tried to be part of the solution - called it out, suggested / designed secure alternatives - but you hear the same rejections: 'too difficult', 'too slow', or, my favourite, 'stop being a negative person'. It'll never change until the quality of staff does.

Smashing Security podcast

Online drug dealers get busted due to poor OPSEC! People are still failing to wipe their USB sticks properly! A potential presidential candidate is outed as a former hacker! Flat Earthers! Pi! Empathy!